Google’s built-in factory reset option can leave your data exposed even after a reset. Here’s why a factory reset doesn’t wipe all your data, and what you can do about it before you sell your smartphone.
There are various good reasons to perform a factory reset: fixing bugs following an Android update, general housekeeping for maintaining Android performance, and supposedly wiping all data from your phone.
The factory reset, we’ve always been told, will delete all data, accounts, passwords and content from your Android device. The problem is, this is only partially true.
For example, the security firm Avast bought 20 used cell phones off eBay and used readily available recovery software to recover incredible amounts of personal data from the devices, including 40,000 photos, 1,000 Google searches, hundreds of emails, and even a loan application. It's scary to imagine what others might find on your phone after you sell it.
Reset to factory settings: why doesn't it work?
The factory reset problem was uncovered by some Cambridge University researchers in the first major study of this taken-for-granted Android security feature. The researchers tested a range of second-hand Android devices running several different Android versions and found that in all cases they were able to recover account tokens – which are used to authenticate you once a password is entered the first time – from service providers such as Google, Facebook and WhatsApp. In a staggering 80 percent of cases, they were able to recover the master token.
The master token is essentially the key to the front door; leaving it recoverable is the equivalent of installing a top-notch security system and then hiding the key under the doormat. Once a master token is recovered, the user's credential file can be restored and all of that user's data re-synced to the device: that means emails, cloud-stored photos, contacts and calendars.
Why is private data recoverable even after a factory reset?
There are a few reasons. Part of the blame lies with the manufacturers, who simply don't provide the software required to fully wipe flash storage. Likewise, flash storage is notoriously hard to wipe, and of course, Google is to blame for not providing a more fail-safe option for users.
The researchers went on to note that while security and antivirus companies may use these findings to promote their own tools and services, the only real solution was likely to come from the vendors themselves.
Unfortunately, even devices with built-in encryption are not safe from these weaknesses. The decryption key is also left intact on a device once it has been factory reset. While that key is itself encrypted, gaining access to it would be a few days’ worth of work for most hackers, according to the researchers.
How to factory reset properly, removing all your data
The main thing you can do to protect yourself is to encrypt your phone. The option to encrypt your phone will be located in different places in your device's settings depending on the manufacturer, but in general, it can be found in Settings > Security > Encrypt phone. If your phone comes with Android 6.0 or above, it may already be encrypted by default.
When you encrypt your device, use a strong, randomly-generated password that contains a mixture of upper- and lower-case letters, numbers and symbols and which is at least 11 characters long. The issue with this is that it is so awkward to type on a regular basis that most users simply won't do it.
Alternatively, once a phone has been factory reset, the flash storage can be refilled with useless data to overwrite the tokens and cryptographic keys left in flash storage. This could be done in a rudimentary way with a few large video files, or with an app made for this purpose. There are several highly-rated apps available on the Play Store, like Secure Erase with iShredder 6. (Of course, if you want to be extra safe while using an app to fill the phone with dummy data, it would need to be installed outside of Google Play to avoid a Google token being registered on the device once again.)
This solution, however, raises issues for users that find themselves with a lost or stolen device, or for those devices that have been remotely wiped with Android Device Manager. Until a legitimate solution can be found, just be careful who you sell your second-hand phone to.
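The overwrite step described above (refilling flash storage with useless data after the reset), as an added example that is not part of the original article. It assumes a POSIX shell with dd and /dev/urandom on the device; the function name fill_free_space and its parameters are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): overwrite free space with random data.
# fill_free_space DIR [CHUNK_MB] [MAX_CHUNKS]   (hypothetical helper)
#   DIR        writable directory on the storage to overwrite
#   CHUNK_MB   size of each filler file in MiB (default 64)
#   MAX_CHUNKS stop after this many files; 0 = continue until the storage is full
# Prints the number of filler files that were written in full.
fill_free_space() {
    dir=$1
    chunk_mb=${2:-64}
    max_chunks=${3:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Keep filler files in their own subdirectory so cleanup cannot touch
    # anything else stored under DIR.
    fill_dir="$dir/.fill.$$"
    mkdir "$fill_dir" || return 2

    n=0
    while [ "$max_chunks" -eq 0 ] || [ "$n" -lt "$max_chunks" ]; do
        # dd exits non-zero once the filesystem is full; the partial file it
        # leaves behind occupies the last of the free space until cleanup.
        if ! dd if=/dev/urandom of="$fill_dir/chunk.$n" \
                bs=1048576 count="$chunk_mb" 2>/dev/null; then
            break
        fi
        n=$((n + 1))
    done

    sync                 # force the filler data out to storage before deleting it
    rm -rf "$fill_dir"   # release the space again
    echo "$n"
}

# Typical call after the reset, run until the storage is full:
#   fill_free_space /path/to/internal/storage
```

Overwriting free space this way does not reach spare blocks that the flash controller keeps in reserve, which is part of why flash is hard to wipe completely.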
Have you sold a phone in the past? Did you think a factory reset would protect your data? Share your thoughts in the comments.